The Tor network is a global, decentralized system that routes data through thousands of volunteer-operated relays in a multi-hop path, commonly called an onion circuit. Users of the Tor Browser leverage this onion routing—where each of the three hops (entry, middle, and exit relay) adds a layer of encryption—to communicate privately, bypass censorship, and prevent ISP-level tracking. This anonymity is crucial for journalists, dissidents, activists, and generally privacy-conscious individuals, though it is also leveraged by cybercriminals.
The decision to replace tor1 stems from its aging cryptography. Developed when cryptographic standards were less advanced, tor1 presented several security weaknesses that made the network susceptible to modern attacks. This upgrade aims to make all circuit traffic more resilient against breaches that could compromise users' data and reveal their identities.
One critical flaw in the original tor1 design was its use of AES-CTR encryption without hop-by-hop authentication. This resulted in malleable relay encryption, which meant an attacker controlling multiple relays could modify the traffic between them and observe predictable changes—an internal covert channel attack known as a tagging attack. Furthermore, tor1 offered only partial forward secrecy by reusing the same AES keys for a circuit’s entire lifetime, enabling decryption of all past traffic if those keys were ever stolen. Lastly, tor1 employed a weak 4-byte SHA-1 digest for cell authentication, creating a detectable but non-trivial probability of successful cell forgery.
The new Counter Galois Onion (CGO) design specifically addresses these vulnerabilities. CGO is built on a robust cryptographic construction known as UIV+ and meets modern security requirements, including high tagging resistance and immediate forward secrecy. CGO thwarts tagging attacks by utilizing wide-block encryption and tag chaining, ensuring that any tampering makes the entire current cell and all subsequent cells unrecoverable. For enhanced forward secrecy, CGO updates the encryption keys after every single cell transmission, guaranteeing that the exposure of a current key does not compromise past traffic.
In addition to key and tagging improvements, CGO dramatically strengthens authentication by entirely removing SHA-1 and replacing it with a 16-byte authenticator. CGO also enforces circuit integrity by chaining an encrypted tag and an initial nonce across cells, making each cell’s integrity dependent on all preceding cells. The Tor Project is currently integrating this modern, research-based encryption and authentication system into both the C Tor implementation and its Rust-based client, Arti, though a definitive timeline for its full, default deployment for Tor Browser users has not been provided.
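
The malleability described for tor1 and the effect of chaining tags across cells can be seen in a small model. This is an added example, not Tor's or CGO's code: a SHA-256 keystream stands in for AES-CTR, a truncated HMAC chain stands in for CGO's UIV+ construction, and the keys, cell length and function names are constructed for the demonstration.

```python
import hashlib
import hmac

CELL_LEN = 32  # constructed, shortened cell body (not Tor's real cell size)
HOP_KEYS = [b"entry-key", b"middle-key", b"exit-key"]  # constructed sample keys

def keystream(key: bytes, cell_no: int, n: int) -> bytes:
    """Stand-in for an AES-CTR keystream: SHA-256 over key, cell number, block index."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + cell_no.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def layer(key: bytes, cell_no: int, body: bytes) -> bytes:
    """Add or remove one hop's stream-cipher layer (the same operation in counter mode)."""
    return xor(body, keystream(key, cell_no, len(body)))

def malleable_circuit(plain: bytes, delta: bytes) -> bytes:
    """Three unauthenticated layers; delta is XORed in between entry and middle relay."""
    cell = plain
    for key in reversed(HOP_KEYS):        # client wraps the exit layer first
        cell = layer(key, 0, cell)
    cell = layer(HOP_KEYS[0], 0, cell)    # entry relay peels its layer
    cell = xor(cell, delta)               # modification in transit
    cell = layer(HOP_KEYS[1], 0, cell)    # middle relay peels and notices nothing
    return layer(HOP_KEYS[2], 0, cell)    # exit relay recovers plain XOR delta

def chain_tag(key: bytes, prev: bytes, body: bytes) -> bytes:
    """16-byte tag bound to the previous tag (HMAC stand-in, not CGO's UIV+)."""
    return hmac.new(key, prev + body, hashlib.sha256).digest()[:16]

def send(key: bytes, bodies):
    state, cells = bytes(16), []
    for body in bodies:
        state = chain_tag(key, state, body)
        cells.append((body, state))
    return cells

def verify(key: bytes, cells):
    """Receiver chains on its own computed tag, so one bad cell breaks all later ones."""
    state, verdicts = bytes(16), []
    for body, tag in cells:
        state = chain_tag(key, state, body)
        verdicts.append(hmac.compare_digest(state, tag))
    return verdicts
```

In the unauthenticated model the change made between relays reappears unchanged at the exit, which is the property a tagging attack relies on; in the chained model the modified cell and every cell after it fail verification.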